Data transfer to the USA: an endless story with a lot of risk – current! The US-EU Privacy Shield

von Rainer Aigner

It took a long time, but now it actually happened that the Austrian lawyer Max Schrems brought the data transfer to the USA before the ECJ again. He was right again. The so-called “Schrems2” judgment of the ECJ, with which the US-EU Privacy Shield was overturned, is currently stirring up data protection officers and companies. In our blog article and video you will find out everything you currently need to know about EU-US privacy. We’ll also tell you what to look out for in the company!

The official statement in a press release by the DSK (data protection conference of the independent data protection supervisory authorities of the federal and state governments) on July 28, 2020 reads:

“In its judgment of July 16, 2020 (Case C311 / 18), the European Court of Justice (ECJ) declared the European Commission’s decision 2016/1250 on the transfer of personal data to the USA (Privacy Shield) to be ineffective that Commission Decision 2010/87 / EC on Standard Contractual Clauses (SCC) is still valid in principle. ”

Safe Harbor Agreement: the predecessor of the US-EU Privacy Shield

At this point it is worth taking a quick look back: Long before this judgment, even long before the introduction of the GDPR, more precisely since 2000, the so-called “Safe Harbor” agreement was in place, which was intended to legitimize the exchange of data between the EU and the USA . The name Agreement comes from the fact that this was agreed between the EU and the USA. In essence, this agreement meant that when personal data were exchanged between the EU and the USA, EU citizens were granted the same, or shall we say, similar rights in dealing with the data stored and processed in the USA as the EU Provided by legislation. A rogue who thought evil at the time, because the legislation in the USA at that time guaranteed the US government sufficient access rights to data that were in the USA.

The USA does not have any comprehensive legal regulations that would correspond to the standards of the EU in this regard. This was made worse by the attacks of September 11th and the massive increase in the law of the US government through the so-called “Patriot Act”.

Anyone who brought their personal data to the USA by whatever means had to live with the fact that the US government, under certain conditions, but with all possible consequences for individual natural persons, can access them in full, data, photos, chat logs , IP addresses, it doesn’t matter.

Rejection also by the Düsseldorfer Kreis

Even back then, data protectionists were of the opinion that the “Safe Harbor” agreement was actually a farce. The so-called Düsseldorfer Kreis, i.e. the association of data protection supervisory authorities, had also declared in April 2010 that data exporters in Germany should not rely on the claims of Safe Harbor certification by US companies and demanded specific minimum standards that are guaranteed and on request the supervisory authorities must also be proven.

Even after Edward Snowden described in detail in 2013 that US secret services such as the NSA and other authorities can completely unabashedly access the servers of US corporations such as Facebook and Google, Safe Harbor was adhered to by politics and business.

An agreement that was only used as a political cover for an actually monstrous approach by the US government. This bothered a then 28-year-old Austrian lawyer named Max Schrems. In 2015 he successfully sued the ECJ. The Safe Harbor Agreement was declared invalid at this point in time by the “Schrems1” judgment.

Privacy Shield – Ineffective protection with announcement

As a result, with the effectiveness of this ruling, any data transfer from the EU to the USA based on the Safe Harbor Agreement (and most of them were) were inadmissible. For companies even then, even before the draconian fines of the GDPR, a real economic risk. Because you could negotiate a fine as an entrepreneur with the data export to the USA, without a sufficient legal basis, which also happened occasionally. At that time, only a few companies had other effective legal instruments in use, such as the “Binding Corporate Rules” (BCR) or the EU standard contractual clauses.

Politicians reacted promptly and obviously knitted something new with a very hot needle. The idea of ​​the “EU-US Privacy Shield” was born. After all, a successor to the now unfortunate Safe Harbor Agreement was needed quickly.

Mind you, the Privacy Shield is not a contract!

It is simply again “just” an agreement between the EU and the USA which – as far as that was clear, just like the old agreement, should protect the rights of EU citizens when data is transferred to the USA. Personal data should at least have rights similar to those that apply in the EU if they reach the USA via social networks, cloud storage, medical devices or whatever route they take. The US government should stay away from this data. Here, too, applies again: A rogue who thinks badly because who seriously believed that the US authorities forgot their politically hard-won, full access rights to data of EU citizens. The problem starts with the differentiation of the data.

How are US authorities supposed to differentiate between data from US and EU citizens when accessing databases from Facebook & Co.?

Self-certification under criticism

Even the new certification process that was quickly created for US companies that “submit” to the EU-US Privacy Shield was more than dubious. It was just a self-certification! I.e. Filling out and submitting a questionnaire to the US Department of Commerce was easily enough to obtain this certification. It should be noted that the respective US company then “guaranteed” to adhere to EU standards in data processing. – The company, still not the US government! How, please, should a company guarantee this when existing laws of the US government guarantee these access rights, which the EU actually forbids in its laws?

The bottom line about the Privacy Shield is that it was “old wine in new bottles”. Politics had failed here and had done a disservice. In terms of content, the Privacy Shield was no more valuable than the Safe Harbor Agreement, which had long since become invalid. Another farce!

So it was foreseeable that this construct would not last long either. Max Schrems sued the ECJ again in 2020 and criticized precisely this. Again with success. In the so-called “Schrems2” judgment (judgment of July 16, 2020, Az. C-311/18), the Luxembourg ECJ judges also declared the Privacy Shield to be invalid.

A quick look into the details of the verdict

The Austrian lawyer had complained to the Irish data protection authority that Facebook Ireland forwards its data to the parent company in the USA. He justified his complaint by stating that Facebook in the USA was obliged to make the data accessible to US authorities such as the NSA and the FBI – without those affected being able to take action. An Irish court wanted to know from the ECJ whether the so-called EU standard contractual clauses and the EU-US data protection agreement “Privacy Shield” would do justice to the European level of data protection.

The judges found that the Privacy Shield did not guarantee an adequate level of data protection. In view of the extensive access options of the US authorities, the European requirements for data protection for user data transferred to the USA are not guaranteed. In addition, legal protection for those affected is inadequate if those affected overseas want to take legal action against the reading or use of their data.

What remains? – Legal basis

However, the judges of the European Court of Justice recognized the so-called EU standard contractual clauses as an acceptable, valid legal basis. If this contract (no, no agreement, no arrangement, this is really a CONTRACT!) Is concluded between the data exporting company in the EU and the data importing company in the USA, then that’s still ok from their point of view. The EU standard contractual clauses are a contract template created by the EU that can be used for data exchange. Just like the so-called Binding Corporate Rules (BCR). These are usually between large corporations from the EU area with branches or plants in the USA. They have been common for many years, but unfortunately they are also a rarity.

Both the EU standard contractual clauses and the BCRs therefore continue to apply as a valid legal basis for data exchange to the USA. Incidentally, Microsoft has always been a positive example here. Their services, such as Office 365, have long been based on the standard contractual clauses and not on an EU-US Privacy Shield certification.

If you now follow this, you would simply have to check your previous workflows, processes, software products, apps, etc. to see which companies behind these applications have so far relied on the EU-US Privacy Shield certification and in the publicly accessible list are registered at These companies would have to switch to the EU standard contractual clauses.

This is exactly what is currently happening! Companies like Google have been sending emails to customers with the following wording:

“Dear partner,
As a result of the recent Court of Justice of the European Union ruling on data transfers, invalidating the Privacy Shield, Google will be moving to Standard Contractual Clauses (SCCs) for transfers … ”

Alternatively, the instrument of voluntary consent would of course still remain in data protection, which is often difficult to implement in practice.

Is it really that simple?

Hardly, because the EU standard contractual clauses are also on the brink. At the end of the day, US authorities’ extensive access rights are likely to remain. It remains to be seen whether a “Schrems3” judgment will follow. The judges of the ECJ also made this clear. The standard contractual clauses can only be used as a sufficient legal basis if they offer sufficient protection. A German data protection supervisory authority has already commented on this: “In the event that US security laws that conflict with EU data protection law are applicable to all data transfers from the EU to the USA, the level of protection in the USA as a whole can not be considered as The level of protection prevailing in the EU should be regarded as equivalent. In this case, the standard contractual clauses, as they are formulated, do not represent suitable guarantees for data transmission to the USA. ”

And to obtain the remaining valid (!) Consent from each individual natural person is often not feasible in practice. Even if, on closer inspection, there is a lack of voluntariness or revocability and the entire consent is therefore ineffective.

It would now be time for the EU and the US government to sit down at the negotiating table once more. The aim must be to create a real and, above all, long-term, viable solution that will restore confidence in US services. However, it is more than questionable that this is currently happening under the Trump administration. Nevertheless, as is well known, hope dies last.

Oh yes, how did the Americans react to the judgment? They simply say: “We regret the verdict, we are happy to explain again how the US laws work, but actually we are not interested and we will continue as before.” Read here:

So what can a company still do to be on the safe side?

First of all, there is no real security here. This is shown by the above Executions. One can only approximate data protection security at the moment.

Processing activities

You have to check all processing activities in your company to see whether they are taking place on the basis of the EU-US Privacy Shield as the previous legal basis. This applies to all processes, software, apps etc. which process personal data. These are (hopefully) already documented in accordance with GDPR Art. 30 (1) and are therefore easy to identify.

Check or create legal basis

One then actually has to resort to the EU standard contractual clauses wherever possible. Where US companies offer this of their own accord, e.g. Microsoft or Google, that’s good. Here it is necessary to change the legal basis in the data protection documents (processing activities). Where US companies do not offer this, write to them actively and request them!
Danger! It is essential to check whether the EU standard contractual clauses can even be used as a valid legal basis. Whether this is the case can be found out very well using a FAQ list that the data protection supervisory authority Rhineland-Palatinate recently published, here the link:

Check subcontractors

In many cases, German companies work together to exchange data with supposedly German companies, this is done in the context of so-called order processing. However, these processors often use subcontractors such as data center operators or cloud storage based in the USA. This data transfer also takes place on the basis of the earlier Privacy Shield. So you also have to check the processors and, above all, the subcontractors! By the way, according to the GDPR, processors are obliged to disclose their subcontractors. This can usually be found as a list in the contract annex. Subcontractors would therefore also have to offer the EU standard contractual clauses.

draw consequences

In the worst case, cease data processing with the processors concerned and actually switch to European providers. This should of course be the last option, but under current case law it is often the only way to avoid the risk of fines as a company.

Open your eyes when choosing a partner!

In the future, when choosing external service providers, pay more attention to the fact that the service providers or their subcontractors who process data are not located in the USA, but in the EU or in other secure third countries.


Most companies face major challenges in reacting in compliance with data protection regulations. We are happy to support you in this, for example by checking your processing activities. Just contact us.

You can find our video on the EU US Privacy Shield and other exciting topics from data protection and IT security on our YouTube Channel.

By viewing the video, you agree that data will be transmitted to YouTube and you accept the privacy policy.
Rainer Aigner

„Egal ob Sie einen externen Datenschutzbeauftragten oder Beratung zu Datenschutz oder mehr IT Sicherheit benötigen. Durch meine langjährige Erfahrung als Datenschutzbeauftragter oder Berater im Betrieb hochsicherer Rechenzentren + IT Infrastrukturen mit den erforderlichen Schutzmaßnahmen auch in hochsensiblen Bereichen, stehe ich Ihnen mit meinem KnowHow und meiner umfassenden Erfahrung in Datenschutz und IT Security zur Verfügung. Dabei liegt mir immer Ihre Zufriedenheit am Herzen. Sprechen Sie mich an – gemeinsam finden wir die ideale Lösung.“